Which SIEM platforms have a T1037 detection rule?

df00tech provides T1037 (Boot or Logon Initialization Scripts) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1037 detection?

The T1037 detection is rated high severity with medium confidence.

What are common false positives for T1037?

Common false positives for T1037 include: Group Policy administrators deploying legitimate logon scripts via SYSVOL/NETLOGON shares during policy updates; Configuration management tools (Ansible, Chef, Puppet, SCCM) writing startup scripts to managed endpoints as part of authorized deployments; Linux package managers (apt, yum, dnf, rpm) creating init.d service scripts when installing server software (nginx, apache, mysql).

T1037

Boot or Logon Initialization Scripts

Q: What data sources are required to detect Boot or Logon Initialization Scripts (T1037)?

Detecting Boot or Logon Initialization Scripts requires the following data sources: Registry: Registry Key Modification, File: File Creation, File: File Modification, Process: Process Creation, Microsoft Defender for Endpoint.

Persistence Privilege Escalation Last updated: April 16, 2026

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. On Windows, logon scripts can be set via the UserInitMprLogonScript registry value under HKCU\Environment, or via Group Policy. On Linux and macOS, adversaries target RC scripts (/etc/rc.d/, /etc/init.d/, /etc/rc.local), systemd unit files, login hooks, and startup items. These mechanisms execute with elevated privileges and survive reboots, making them effective persistence mechanisms. Threat groups including APT41, APT29, Rocke, and UNC3886 have all leveraged initialization script abuse, targeting both enterprise endpoints and network appliances.

What is T1037 Boot or Logon Initialization Scripts?

Boot or Logon Initialization Scripts (T1037) maps to the Persistence and Privilege Escalation tactics — the adversary is trying to maintain their foothold in MITRE ATT&CK.

This page provides production-ready detection logic for Boot or Logon Initialization Scripts, covering the data sources and telemetry it touches: Registry: Registry Key Modification, File: File Creation, File: File Modification, Process: Process Creation, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Persistence Privilege Escalation
Technique: T1037 Boot or Logon Initialization Scripts
Canonical reference: https://attack.mitre.org/techniques/T1037/

Microsoft Sentinel / Defender

kusto

let WindowsLogonScriptKeys = dynamic([
  "UserInitMprLogonScript",
  "\\Environment\\UserInitMprLogonScript"
]);
let LinuxInitPaths = dynamic([
  "/etc/rc.d/", "/etc/init.d/", "/etc/rc.local", "/etc/init/",
  "/etc/rc0.d/", "/etc/rc1.d/", "/etc/rc2.d/", "/etc/rc3.d/",
  "/etc/rc4.d/", "/etc/rc5.d/", "/etc/rc6.d/"
]);
let SuspiciousExtensions = dynamic([".sh", ".py", ".pl", ".rb", ".bash"]);
// Branch 1: Windows registry-based logon scripts
let WindowsLogonScript = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has "\\Environment" and RegistryValueName =~ "UserInitMprLogonScript"
| extend DetectionBranch = "Windows-LogonScript-Registry"
| extend Detail = strcat("Key: ", RegistryKey, " | Value: ", RegistryValueData)
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey,
          RegistryValueName, RegistryValueData, InitiatingProcessFileName,
          InitiatingProcessCommandLine, DetectionBranch, Detail;
// Branch 2: Suspicious file writes into Windows Startup / logon script paths
let WindowsStartupFile = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (
    "\\Windows\\System32\\GroupPolicy",
    "\\Windows\\SysWOW64\\GroupPolicy",
    "SYSVOL",
    "\\netlogon\\"
  )
| where FileName has_any (".bat", ".cmd", ".vbs", ".ps1", ".js", ".wsf")
| extend DetectionBranch = "Windows-StartupScript-FileCreate"
| extend Detail = strcat("File: ", FolderPath, "\\", FileName)
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
          ActionType, RegistryKey="", RegistryValueName="", RegistryValueData="",
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionBranch, Detail;
// Branch 3: Linux/macOS init script file creation (via Syslog/AuditLogs)
let LinuxInitScript = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (LinuxInitPaths)
| extend DetectionBranch = "Linux-InitScript-FileCreate"
| extend Detail = strcat("File: ", FolderPath, "/", FileName)
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
          ActionType, RegistryKey="", RegistryValueName="", RegistryValueData="",
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionBranch, Detail;
// Branch 4: macOS login hook configuration via 'defaults write'
let MacOSLoginHook = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "defaults"
| where ProcessCommandLine has "LoginHook" or ProcessCommandLine has "LogoutHook"
| extend DetectionBranch = "macOS-LoginHook-Configured"
| extend Detail = ProcessCommandLine
| project Timestamp, DeviceName, AccountName,
          ActionType="ProcessCreate", RegistryKey="", RegistryValueName="", RegistryValueData="",
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionBranch, Detail;
union WindowsLogonScript, WindowsStartupFile, LinuxInitScript, MacOSLoginHook
| sort by Timestamp desc

Detects Boot or Logon Initialization Script abuse across Windows, Linux, and macOS. Uses four detection branches: (1) Registry modifications to HKCU\Environment\UserInitMprLogonScript for Windows per-user logon scripts; (2) Script file creation in Windows Group Policy and NETLOGON directories used for network logon scripts; (3) File creation in Linux RC and init.d directories targeted by malware like RotaJakiro, Rocke, and VIRTUALPITA; (4) macOS login hook configuration via the 'defaults write' command targeting LoginHook and LogoutHook keys.

high severity medium confidence

Data Sources

Registry: Registry Key Modification File: File Creation File: File Modification Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceFileEvents DeviceProcessEvents

False Positives

Group Policy administrators deploying legitimate logon scripts via SYSVOL/NETLOGON shares during policy updates
Configuration management tools (Ansible, Chef, Puppet, SCCM) writing startup scripts to managed endpoints as part of authorized deployments
Linux package managers (apt, yum, dnf, rpm) creating init.d service scripts when installing server software (nginx, apache, mysql)
System administrators manually configuring logon scripts for mapped drives, printer connections, or environment variable setup
macOS enterprise MDM solutions (Jamf, Mosyle) configuring LoginHooks for device enrollment or management tasks

Splunk

spl

| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
  | eval TargetObject=coalesce(TargetObject, RegistryPath)
  | where match(TargetObject, "(?i)\\Environment\\UserInitMprLogonScript")
  | eval DetectionBranch="Windows-LogonScript-Registry"
  | eval Detail=TargetObject
  | table _time, host, User, TargetObject, Details, Image, CommandLine, DetectionBranch, Detail
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  | where match(TargetFilename, "(?i)(\\\\GroupPolicy\\\\|\\\\SYSVOL\\\\|\\\\netlogon\\\\)")
    AND match(TargetFilename, "(?i)\.(bat|cmd|vbs|ps1|js|wsf)$")
  | eval DetectionBranch="Windows-StartupScript-FileCreate"
  | eval Detail=TargetFilename
  | table _time, host, User, TargetFilename, Image, CommandLine, DetectionBranch, Detail
]
[
  search index=linux sourcetype=syslog
    ("init.d" OR "rc.local" OR "rc.d" OR "/etc/init/")
    ("chmod" OR "cp" OR "mv" OR "echo" OR "tee" OR "install")
  | rex field=_raw "(?P<action>chmod|cp|mv|echo|tee|install)\s+.*(?P<path>/etc/(rc\.d|init\.d|init|rc\.local)[^\s]*)"
  | where isnotnull(path)
  | eval DetectionBranch="Linux-InitScript-Activity"
  | eval Detail=path
  | table _time, host, path, action, _raw, DetectionBranch, Detail
]
[
  search index=linux sourcetype="linux_auditd"
    (key="persistence" OR syscall=rename OR syscall=write OR syscall=open)
    (name="/etc/init.d*" OR name="/etc/rc.d*" OR name="/etc/rc.local" OR name="/etc/init/*")
  | eval DetectionBranch="Linux-AuditD-InitScript"
  | eval Detail=name
  | table _time, host, auid, uid, name, syscall, exe, DetectionBranch, Detail
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    Image="*/defaults" CommandLine="*LoginHook*"
  | eval DetectionBranch="macOS-LoginHook-Configured"
  | eval Detail=CommandLine
  | table _time, host, User, Image, CommandLine, ParentImage, DetectionBranch, Detail
]
| sort - _time

Detects Boot or Logon Initialization Script abuse using Sysmon and Linux telemetry across four branches: (1) Sysmon Event ID 13 (Registry Value Set) targeting the UserInitMprLogonScript registry key used for Windows per-user logon scripts; (2) Sysmon Event ID 11 (File Create) detecting script drops in GroupPolicy, SYSVOL, and NETLOGON directories; (3) Linux syslog analysis for commands writing to /etc/init.d/ and related RC directories; (4) Linux auditd records for file write syscalls targeting init script paths; and (5) macOS defaults command used to configure LoginHook or LogoutHook persistence.

high severity medium confidence

Data Sources

Registry: Registry Key Modification File: File Creation Process: Process Creation Sysmon Event ID 13 Sysmon Event ID 11 Sysmon Event ID 1 Linux auditd Linux syslog

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational linux_auditd syslog

False Positives

Group Policy administrators deploying legitimate logon scripts via SYSVOL/NETLOGON shares during policy updates
Configuration management tools (Ansible, Chef, Puppet, SCCM) writing startup scripts to managed endpoints as part of authorized deployments
Linux package managers (apt, yum, dnf, rpm) creating init.d service scripts when installing server software
System administrators manually configuring logon scripts for mapped drives, printer connections, or environment variable setup
macOS enterprise MDM solutions (Jamf, Mosyle) configuring LoginHooks for device enrollment or management tasks

Elastic Security (EQL)

eql

any where
  (
    // Branch 1: Windows registry-based logon script persistence
    (event.category == "registry" and event.type in ("creation", "change") and
     registry.path : ("*\\Environment\\UserInitMprLogonScript*", "*UserInitMprLogonScript*"))
    or
    // Branch 2: Script file written to Windows Group Policy / SYSVOL / netlogon paths
    (event.category == "file" and event.type in ("creation", "change") and
     file.path : ("*\\GroupPolicy\\*", "*\\SYSVOL\\*", "*\\netlogon\\*") and
     file.extension in ("bat", "cmd", "vbs", "ps1", "js", "wsf"))
    or
    // Branch 3: Linux init script file creation or modification
    (event.category == "file" and event.type in ("creation", "change") and
     file.path : ("/etc/rc.d/*", "/etc/init.d/*", "/etc/rc.local", "/etc/init/*",
                  "/etc/rc0.d/*", "/etc/rc1.d/*", "/etc/rc2.d/*", "/etc/rc3.d/*",
                  "/etc/rc4.d/*", "/etc/rc5.d/*", "/etc/rc6.d/*"))
    or
    // Branch 4: macOS login hook configured via defaults write
    (event.category == "process" and event.type == "start" and
     process.name == "defaults" and
     process.args : ("*LoginHook*", "*LogoutHook*"))
  )

Detects T1037 Boot or Logon Initialization Script persistence across Windows, Linux, and macOS. Covers four detection branches: (1) Windows registry modification of UserInitMprLogonScript under HKCU\Environment, (2) script file writes into GroupPolicy/SYSVOL/netlogon directories, (3) file creation or modification in Linux RC/init.d paths, and (4) macOS login hook configuration via the 'defaults write' command. Uses Elastic Common Schema event categories for cross-platform coverage.

high severity high confidence

Data Sources

Elastic Endpoint Security (endpoint agent) Auditbeat (Linux file integrity, process) Winlogbeat (Windows Sysmon, Security Event Log) Fleet-managed Elastic Agent

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.file-* logs-endpoint.events.process-* auditbeat-* winlogbeat-*

False Positives

Legitimate IT administrators setting domain logon scripts via Group Policy Object (GPO) management consoles — UserInitMprLogonScript modifications from known admin hosts should be baselined and excluded.
Configuration management platforms (Ansible, Puppet, Chef, SaltStack) that modify /etc/init.d/ or /etc/rc.d/ scripts as part of automated service deployments on Linux systems.
macOS MDM solutions such as Jamf Pro or Mosyle that configure login hooks or logout hooks for endpoint management, software deployment, or compliance enforcement.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  logsourcename(logSourceId) AS "Log Source",
  username AS "Username",
  hostname AS "Hostname",
  sourceip AS "Source IP",
  QIDNAME(qid) AS "Event Name",
  CATEGORYNAME(category) AS "Category",
  UTF8(payload) AS "Raw Payload",
  CASE
    WHEN UTF8(payload) ILIKE '%UserInitMprLogonScript%' THEN 'Windows-LogonScript-Registry'
    WHEN UTF8(payload) ILIKE '%GroupPolicy%' OR UTF8(payload) ILIKE '%SYSVOL%' OR UTF8(payload) ILIKE '%netlogon%' THEN 'Windows-StartupScript-FileCreate'
    WHEN UTF8(payload) ILIKE '%/etc/init.d%' OR UTF8(payload) ILIKE '%/etc/rc.d%' OR UTF8(payload) ILIKE '%/etc/rc.local%' OR UTF8(payload) ILIKE '%/etc/init/%' THEN 'Linux-InitScript-Activity'
    WHEN UTF8(payload) ILIKE '%LoginHook%' OR UTF8(payload) ILIKE '%LogoutHook%' THEN 'macOS-LoginHook-Configured'
    ELSE 'Unknown'
  END AS "Detection Branch"
FROM events
WHERE
  starttime > NOW() - 86400000
  AND (
    -- Branch 1: Windows registry logon script persistence
    (
      CATEGORYNAME(category) ILIKE '%registry%'
      AND UTF8(payload) ILIKE '%UserInitMprLogonScript%'
      AND UTF8(payload) ILIKE '%\Environment%'
    )
    OR
    -- Branch 2: Script file written to Group Policy / SYSVOL / netlogon
    (
      CATEGORYNAME(category) ILIKE '%file%'
      AND (
        UTF8(payload) ILIKE '%GroupPolicy%'
        OR UTF8(payload) ILIKE '%SYSVOL%'
        OR UTF8(payload) ILIKE '%netlogon%'
      )
      AND (
        UTF8(payload) ILIKE '%.bat%'
        OR UTF8(payload) ILIKE '%.cmd%'
        OR UTF8(payload) ILIKE '%.ps1%'
        OR UTF8(payload) ILIKE '%.vbs%'
        OR UTF8(payload) ILIKE '%.js%'
        OR UTF8(payload) ILIKE '%.wsf%'
      )
    )
    OR
    -- Branch 3: Linux init/rc script creation or modification
    (
      LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Universal DSM', 'Syslog')
      AND (
        UTF8(payload) ILIKE '%/etc/init.d%'
        OR UTF8(payload) ILIKE '%/etc/rc.d%'
        OR UTF8(payload) ILIKE '%/etc/rc.local%'
        OR UTF8(payload) ILIKE '%/etc/init/%'
        OR UTF8(payload) ILIKE '%/etc/rc0.d%'
        OR UTF8(payload) ILIKE '%/etc/rc1.d%'
        OR UTF8(payload) ILIKE '%/etc/rc2.d%'
        OR UTF8(payload) ILIKE '%/etc/rc3.d%'
        OR UTF8(payload) ILIKE '%/etc/rc4.d%'
        OR UTF8(payload) ILIKE '%/etc/rc5.d%'
        OR UTF8(payload) ILIKE '%/etc/rc6.d%'
      )
      AND (
        UTF8(payload) ILIKE '%chmod%'
        OR UTF8(payload) ILIKE '% cp %'
        OR UTF8(payload) ILIKE '% mv %'
        OR UTF8(payload) ILIKE '%tee %'
        OR UTF8(payload) ILIKE '%install %'
        OR UTF8(payload) ILIKE '% echo %'
      )
    )
    OR
    -- Branch 4: macOS login hook via defaults write
    (
      LOGSOURCETYPENAME(devicetype) IN ('Apple Mac OS X', 'Universal DSM', 'Syslog')
      AND (
        UTF8(payload) ILIKE '%defaults write%'
        OR UTF8(payload) ILIKE '%defaults%LoginHook%'
      )
      AND (
        UTF8(payload) ILIKE '%LoginHook%'
        OR UTF8(payload) ILIKE '%LogoutHook%'
      )
    )
  )
ORDER BY devicetime DESC
LIMIT 500

Detects T1037 Boot or Logon Initialization Script abuse across Windows, Linux, and macOS. Searches QRadar event payloads for indicators of registry-based Windows logon script persistence (UserInitMprLogonScript), script drops into Group Policy/SYSVOL/netlogon directories, Linux RC and init.d script manipulation via common shell commands, and macOS login hook configuration via the 'defaults write' command. Filters by log source type to reduce cross-platform false positives.

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (via WinCollect or Sysmon) Linux OS syslog and auditd (Universal DSM or Linux OS DSM) Apple macOS syslog (Universal DSM) Sysmon for Linux

Required Tables

events

False Positives

Domain administrators legitimately modifying SYSVOL or netlogon logon scripts for Group Policy software deployment — correlate against change management tickets and known admin accounts.
Package managers (apt, yum, dnf, rpm) writing init scripts to /etc/init.d/ or /etc/rc.d/ during software installation on Linux servers — baseline package manager activity and exclude known package manager binary paths.
macOS enterprise MDM platforms (Jamf Pro, Microsoft Intune for Mac) that configure login/logout hooks for policy enforcement — whitelist known MDM agent processes and management server IP ranges.

Sumo Logic CSE

sql

(_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=linux/syslog OR _sourceCategory=linux/auditd OR _sourceCategory=macos/syslog OR _sourceCategory=endpoint*)
| where (
    // Branch 1: Sysmon EventID 13 - Registry Value Set targeting UserInitMprLogonScript
    (EventID = "13" AND TargetObject matches "(?i).*\\Environment.*UserInitMprLogonScript.*")
    OR
    // Branch 1b: Windows Security Event 4657 - Registry modification
    (EventID = "4657" AND ObjectName matches "(?i).*\\Environment.*UserInitMprLogonScript.*")
    OR
    // Branch 2: Sysmon EventID 11 - File created in GroupPolicy/SYSVOL/netlogon with script extension
    (EventID = "11" AND TargetFilename matches "(?i).*(\\GroupPolicy\\|\\SYSVOL\\|\\netlogon\\).*" AND TargetFilename matches "(?i).*\.(bat|cmd|vbs|ps1|js|wsf)$")
    OR
    // Branch 3: Linux syslog - write activity to init script directories
    (_sourceCategory matches "(?i).*linux.*" AND (
      _raw matches "(?i).*/etc/(rc\.d|init\.d|rc\.local|init/).*"
    ) AND (
      _raw matches "(?i).*(chmod|cp|mv|tee|install|echo|write).*"
    ))
    OR
    // Branch 3b: Linux auditd - syscall writes to init paths
    (_sourceCategory matches "(?i).*auditd.*" AND (
      name matches "(?i)/etc/(init\.d|rc\.d|rc\.local|init/).*"
    ) AND (
      syscall matches "(write|open|rename|truncate|creat)"
    ))
    OR
    // Branch 4: macOS defaults write LoginHook
    (process_name = "defaults" AND _raw matches "(?i).*(LoginHook|LogoutHook).*")
    OR
    // Branch 4b: Sysmon EventID 1 - macOS defaults process launch
    (EventID = "1" AND Image matches "(?i).*defaults$" AND CommandLine matches "(?i).*(LoginHook|LogoutHook).*")
  )
| eval detection_branch = if(EventID = "13" AND TargetObject matches "(?i).*UserInitMprLogonScript.*", "Windows-LogonScript-Registry",
    if(EventID = "4657" AND ObjectName matches "(?i).*UserInitMprLogonScript.*", "Windows-LogonScript-Registry",
    if(EventID = "11" AND TargetFilename matches "(?i).*(GroupPolicy|SYSVOL|netlogon).*", "Windows-StartupScript-FileCreate",
    if(_sourceCategory matches "(?i).*auditd.*", "Linux-AuditD-InitScript",
    if(_sourceCategory matches "(?i).*linux.*", "Linux-InitScript-Syslog",
    if(_raw matches "(?i).*(LoginHook|LogoutHook).*", "macOS-LoginHook-Configured", "Other"))))))
| eval indicator = if(isNull(TargetObject), if(isNull(TargetFilename), if(isNull(name), _raw, name), TargetFilename), TargetObject)
| eval actor = coalesce(User, auid, process_name, "unknown")
| count by detection_branch, _sourceHost, actor, indicator
| sort by _count desc

Detects T1037 Boot or Logon Initialization Script abuse using Sumo Logic CSE across multiple platforms and log sources. Covers Windows Sysmon EventID 13 (registry value set) and EventID 11 (file create) for registry-based logon script persistence and Group Policy/SYSVOL script drops, Linux syslog and auditd for init.d/rc.d script writes, and macOS syslog and Sysmon EventID 1 for login hook configuration via 'defaults write'. Results are grouped by detection branch, host, and actor for analyst triage.

high severity high confidence

Data Sources

Windows Sysmon (EventID 1, 11, 13) via Sumo Logic Windows source Windows Security Event Log (EventID 4657) via Sumo Logic Windows source Linux syslog (/var/log/syslog, /var/log/messages) via Sumo Logic installed collector Linux auditd logs via Sumo Logic installed collector macOS unified system log via Sumo Logic macOS source

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security _sourceCategory=linux/syslog _sourceCategory=linux/auditd _sourceCategory=macos/syslog

False Positives

Automated software deployment pipelines (Jenkins, GitLab CI, GitHub Actions self-hosted runners) that write scripts to SYSVOL or netlogon as part of GPO-based software distribution — correlate against CI/CD service account names.
Linux system administrators running configuration management (Ansible playbooks, Chef cookbooks) that legitimately install or update init scripts in /etc/init.d/ during scheduled maintenance windows.
Corporate macOS device enrollment processes using Jamf or similar MDM that configure login/logout hooks as standard endpoint management controls — baseline MDM agent PIDs and signing identities.

Google Chronicle / SecOps

yaral

rule t1037_boot_logon_initialization_scripts {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1037 Boot or Logon Initialization Script persistence on Windows, Linux, and macOS"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1037"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1037/"
    reference = "https://attack.mitre.org/techniques/T1037/"
    created = "2026-04-16"
    version = "1.0"

  events:
    (
      // Branch 1: Windows registry logon script persistence via UserInitMprLogonScript
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION"
        and (
          re.regex($e.target.registry.registry_key, `(?i).*\\Environment.*`)
          or re.regex($e.target.registry.registry_value_name, `(?i)UserInitMprLogonScript`)
        )
        and re.regex($e.target.registry.registry_key, `(?i)UserInitMprLogonScript|\\Environment`)
      )
      or
      // Branch 2: Script file dropped into Group Policy, SYSVOL, or netlogon directories
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i).*(GroupPolicy|SYSVOL|netlogon).*`)
        and re.regex($e.target.file.full_path, `(?i)\.(bat|cmd|vbs|ps1|js|wsf)$`)
      )
      or
      // Branch 3: Linux init/rc script created or modified
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i)/etc/(rc\.d|init\.d|rc\.local|init/|rc[0-6]\.d)/.*`)
      )
      or
      // Branch 3b: Linux init script file modification event
      (
        $e.metadata.event_type = "FILE_MODIFICATION"
        and re.regex($e.target.file.full_path, `(?i)/etc/(rc\.d|init\.d|rc\.local|init/|rc[0-6]\.d)/.*`)
      )
      or
      // Branch 4: macOS login hook configured via defaults write command
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and (
          re.regex($e.principal.process.file.full_path, `(?i).*\/defaults$`)
          or $e.principal.process.file.basename = "defaults"
        )
        and re.regex($e.target.process.command_line, `(?i).*(LoginHook|LogoutHook).*`)
      )
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if($e.metadata.event_type = "REGISTRY_MODIFICATION", 85,
      if($e.metadata.event_type = "FILE_CREATION" and re.regex($e.target.file.full_path, `(?i).*(GroupPolicy|SYSVOL|netlogon).*`), 80,
      if($e.metadata.event_type = "FILE_CREATION" and re.regex($e.target.file.full_path, `(?i)/etc/(rc|init).*`), 75,
      if($e.metadata.event_type = "FILE_MODIFICATION" and re.regex($e.target.file.full_path, `(?i)/etc/(rc|init).*`), 70,
      if($e.metadata.event_type = "PROCESS_LAUNCH" and re.regex($e.target.process.command_line, `(?i).*(LoginHook|LogoutHook).*`), 80, 50)))))
    )
    $detection_branch = if($e.metadata.event_type = "REGISTRY_MODIFICATION", "Windows-LogonScript-Registry",
      if($e.metadata.event_type = "FILE_CREATION" and re.regex($e.target.file.full_path, `(?i).*(GroupPolicy|SYSVOL|netlogon).*`), "Windows-StartupScript-FileCreate",
      if($e.metadata.event_type = "FILE_CREATION" and re.regex($e.target.file.full_path, `(?i)/etc/(rc|init).*`), "Linux-InitScript-FileCreate",
      if($e.metadata.event_type = "FILE_MODIFICATION" and re.regex($e.target.file.full_path, `(?i)/etc/(rc|init).*`), "Linux-InitScript-FileModify",
      if($e.metadata.event_type = "PROCESS_LAUNCH", "macOS-LoginHook-Configured", "Unknown")))))    
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $initiating_process = $e.principal.process.file.basename

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1037 Boot or Logon Initialization Script persistence across Windows, Linux, and macOS using UDM event types. Covers four branches: Windows registry modification of UserInitMprLogonScript (REGISTRY_MODIFICATION), script file drops into Group Policy/SYSVOL/netlogon (FILE_CREATION), Linux RC/init.d script creation or modification (FILE_CREATION, FILE_MODIFICATION), and macOS login hook configuration via 'defaults write' (PROCESS_LAUNCH). Risk scoring is outcome-based with per-branch weights. Matches over a 5-minute window per hostname.

high severity high confidence

Data Sources

Chronicle UDM (Unified Data Model) ingestion from endpoint agents Google Chronicle SIEM with Windows event log forwarding Chronicle Linux log ingestion via Bindplane or forwarders Chronicle macOS event collection via Endpoint Detection agents Microsoft Defender for Endpoint via Chronicle integration

Required Tables

UDM events (REGISTRY_MODIFICATION) UDM events (FILE_CREATION) UDM events (FILE_MODIFICATION) UDM events (PROCESS_LAUNCH)

False Positives

Group Policy administrators legitimately creating or modifying batch/PowerShell scripts in SYSVOL or netlogon shares for domain-wide software deployment — create reference lists of authorized GPO admin accounts and exclude from rule or reduce risk score.
Linux package installation via apt/yum/dnf that adds service init scripts to /etc/init.d/ or /etc/rc.d/ — these should match known package management binary paths (dpkg, rpm, yum) and can be excluded using initiating process filtering.
macOS fleet management tools (Jamf Pro, Mosyle, Microsoft Intune) that configure login or logout hooks as part of standard device enrollment and policy enforcement — baseline MDM agent signatures and exclude by principal process identity.

CrowdStrike LogScale (CQL)

cql

// T1037 - Boot or Logon Initialization Scripts
// Detect Windows registry logon script, startup script file drops, Linux init script writes, and macOS login hook config

#event_simpleName in (RegGenericValueUpdate, RegGenericKeyCreate, RegValueUpdate, FileWritten, PeFileWritten, ProcessRollup2)

| case {
    // Branch 1: Windows registry logon script - UserInitMprLogonScript
    #event_simpleName in (RegGenericValueUpdate, RegGenericKeyCreate, RegValueUpdate)
    | regex(field=RegObjectName, regex="(?i)\\\\Environment\\\\UserInitMprLogonScript", strict=false)
    | eval DetectionBranch="Windows-LogonScript-Registry"
    | eval Indicator=RegObjectName ;

    // Branch 2: Script file written to GroupPolicy / SYSVOL / netlogon
    #event_simpleName in (FileWritten, PeFileWritten)
    | regex(field=TargetFileName, regex="(?i)(\\\\GroupPolicy\\\\|\\\\SYSVOL\\\\|\\\\netlogon\\\\)", strict=false)
    | regex(field=TargetFileName, regex="(?i)\.(bat|cmd|vbs|ps1|js|wsf)$", strict=false)
    | eval DetectionBranch="Windows-StartupScript-FileCreate"
    | eval Indicator=TargetFileName ;

    // Branch 3: Linux init/rc script file written
    #event_simpleName in (FileWritten)
    | regex(field=TargetFileName, regex="(?i)/etc/(rc\.d|init\.d|rc\.local|init/|rc[0-6]\.d)/", strict=false)
    | eval DetectionBranch="Linux-InitScript-FileWrite"
    | eval Indicator=TargetFileName ;

    // Branch 4: macOS defaults write LoginHook / LogoutHook
    #event_simpleName = ProcessRollup2
    | regex(field=ImageFileName, regex="(?i)(/usr/bin/defaults|/bin/defaults)$", strict=false)
    | regex(field=CommandLine, regex="(?i)(LoginHook|LogoutHook)", strict=false)
    | eval DetectionBranch="macOS-LoginHook-Configured"
    | eval Indicator=CommandLine ;

    // Exclude non-matching events
    *
    | eval DetectionBranch="_no_match"
}

| DetectionBranch != "_no_match"

| eval Actor=coalesce(UserName, UID, "unknown")
| eval Host=coalesce(ComputerName, aip, "unknown")

| table([timestamp, Host, Actor, DetectionBranch, #event_simpleName, Indicator, ImageFileName, CommandLine, ParentBaseFileName])
| sort(timestamp, order=desc)

CrowdStrike LogScale (Falcon) CQL query detecting T1037 Boot or Logon Initialization Script persistence. Uses Falcon telemetry event types: RegGenericValueUpdate/RegGenericKeyCreate/RegValueUpdate for Windows registry logon script (UserInitMprLogonScript), FileWritten/PeFileWritten for script drops into GroupPolicy/SYSVOL/netlogon directories and Linux init.d/rc.d paths, and ProcessRollup2 for macOS login hook configuration via 'defaults write'. Outputs a flat table with detection branch, initiating process, host, and indicator for analyst triage. Designed for use with CrowdStrike Falcon endpoint telemetry in LogScale.

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (Windows sensor) CrowdStrike Falcon for Linux (Linux sensor) CrowdStrike Falcon for macOS (macOS sensor) CrowdStrike Falcon LogScale (Humio) SIEM ingestion

Required Tables

Falcon telemetry: RegGenericValueUpdate Falcon telemetry: RegGenericKeyCreate Falcon telemetry: RegValueUpdate Falcon telemetry: FileWritten Falcon telemetry: PeFileWritten Falcon telemetry: ProcessRollup2

False Positives

Legitimate system administrators or Active Directory management tools (ADUC, GPMC, PowerShell RSAT modules) configuring UserInitMprLogonScript for domain users as an authorized policy deployment mechanism — alert volume should be low and restricted to admin workstations.
Software packaging tools (WiX, InstallShield, Inno Setup) that write PowerShell or batch scripts into GroupPolicy or netlogon paths as part of MSI or software installer deployments in enterprise environments.
Linux package managers (rpm, dpkg, apt) or configuration management agents (Puppet agent, Chef client) that write or update init scripts in /etc/init.d/ or /etc/rc.d/ as part of automated package installation or system provisioning workflows.

Sigma rule & cross-platform mapping

The detection logic for Boot or Logon Initialization Scripts (T1037) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1037 Sigma rules on detection.fyi

Platform-specific guides for T1037

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-16 Research depth: deep

References (9)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Windows Logon Script via UserInitMprLogonScript Registry
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKCU\Environment\UserInitMprLogonScript, Details=%TEMP%\argus-test-logon.bat, Image=reg.exe. Sysmon Event ID 11 (File Create): TargetFilename=%TEMP%\argus-test-logon.bat. DeviceRegistryEvents in MDE will show ActionType=RegistryValueSet with RegistryValueName=UserInitMprLogonScript.
Test 2Linux RC Script Persistence via init.d
Expected signal: Linux auditd SYSCALL=openat/write with name=/etc/init.d/argus-test and exe=bash or exe=tee. Syslog entries for update-rc.d execution. If auditd rule -w /etc/init.d -p wa -k init_script_write is in place, ausearch will return the creation event with auid, uid, pid, and full command context. File creation timestamp visible via stat /etc/init.d/argus-test.
Test 3macOS Login Hook Configuration
Expected signal: Sysmon for macOS Event ID 1 (Process Create): Image=defaults, CommandLine contains 'write com.apple.loginwindow LoginHook'. File create event for /tmp/argus-loginhook.sh. MDE DeviceProcessEvents will show FileName=defaults with ProcessCommandLine referencing LoginHook. On execution at next login: launchd spawning the hook script as parent.
Test 4Windows Network Logon Script via Group Policy INI
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename in %SYSTEMROOT%\System32\GroupPolicy\User\Scripts\Logon\ with .bat extension. DeviceFileEvents ActionType=FileCreated for both the script and scripts.ini. Security Event ID 4688 (cmd.exe executing mkdir and echo). On next logon: userinit.exe spawning the script from the GroupPolicy Scripts directory.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1037 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Boot or Logon Initialization Scripts

What is T1037 Boot or Logon Initialization Scripts?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1037

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Sub-techniques (5)

Related Techniques

Same Tactic: Persistence

Popular Detections

What is T1037 Boot or Logon Initialization Scripts?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1037

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Sub-techniques (5)

Related Techniques

Same Tactic: Persistence

Popular Detections

Get new detections in your inbox